Security at Netlify

Last reviewed by Netlify Support: July 2023

Netlify believes that the Jamstack approach to building websites and apps offers clear security benefits by default, and we at Netlify take security extremely seriously as a matter of principle. Our operations and business are SOC-2 certified, our staff are trained on current security best practices, and we pay close attention to the handling of your data and access to our systems. We also provide certificates via Let’s Encrypt to all customers who configure our SSL on their site.

You can find more details about our security practices on our security page. You’ll see that all our internal traffic is encrypted, that sensitive information such as passwords and access keys is encrypted at rest, and that we have disaster recovery plans that have been thoroughly tested. We regularly contract with external agencies for scheduled penetration testing, and at the DNS layer we run two completely redundant DNS networks so we have a failover in place if needed.

Nonetheless, if you feel you have found a security problem on our platform, we want to hear about it immediately! We have a commitment to working to resolve legitimate issues as quickly as possible to protect Please report it to security@netlify.com, which activates our Bug Bounty program! Alternatively, you can submit via HackerOne. We very much appreciate your responsible reporting of potentially sensitive issues.

If you see an abusive site hosted on Netlify, please send an email to fraud@netlify.com. Please include the site URL and reason for your report, and we will reply promptly.

If you are thinking of running penetration tests on our platform, we want you to know that according to our Terms of Use, such tests require explicit written permission before launching. You’ll need to get in touch with Netlify support in advance of any planned tests to obtain this permission. Please post in the Admin section of this site, and we will DM you to have a 1:1 conversation. Please also note that we require at least a week’s notice before you’d launch a test, and once permission is granted, we’ll be happy to work with you to verify your test is working correctly and help you interpret the results.
